AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

[Intl] Fix Null-der READ IsValidExtension<icu_64::Calendar>

Browse Source 
Consider the case that uloc_toLegacyType may return nullptr while
the specified keyword value cannot be mapped to a well-formed legacy type.

Bug: chromium:966285
Change-Id: I40511c54e4835599c002f1c678121341276a4e58
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1627902
Commit-Queue: Frank Tang <ftang@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61829}
This commit is contained in:
Frank Tang 2019-05-24 08:58:58 -07:00 committed by Commit Bot
parent 628431b214
commit 3846fc3a2e
2 changed files with 23 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
src/objects/intl-objects.cc
View File

@ -1461,18 +1461,23 @@ namespace {
template <typename T>
bool IsValidExtension(const icu::Locale& locale, const char* key,
const std::string& value) {
const char* legacy_type = uloc_toLegacyType(key, value.c_str());
if (legacy_type == nullptr) {
return false;
}
UErrorCode status = U_ZERO_ERROR;
std::unique_ptr<icu::StringEnumeration> enumeration(
T::getKeywordValuesForLocale(key, icu::Locale(locale.getBaseName()),
false, status));
if (U_SUCCESS(status)) {
int32_t length;
std::string legacy_type(uloc_toLegacyType(key, value.c_str()));
for (const char* item = enumeration->next(&length, status); item != nullptr;
item = enumeration->next(&length, status)) {
if (U_SUCCESS(status) && legacy_type == item) {
return true;
}
if (U_FAILURE(status)) {
return false;
}
int32_t length;
for (const char* item = enumeration->next(&length, status);
U_SUCCESS(status) && item != nullptr;
item = enumeration->next(&length, status)) {
if (strcmp(legacy_type, item) == 0) {
return true;
}
}
return false;

10
test/intl/regress-966285.js Normal file
View File

@ -0,0 +1,10 @@
// Copyright 2019 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --harmony-intl-add-calendar-numbering-system
var v = {};
Object.defineProperty(v.__proto__, "calendar",
{ get: function() { return -1; } });
assertThrows(() => new Intl.DateTimeFormat(v, 0), RangeError);